Wireshark mailing list archives

How to skip unrecognizable packets in saved pcap files


From: Ye Deng <yedeng0 () gmail com>
Date: Mon, 19 Sep 2011 00:22:01 -0400

Hello all,

I have a serious issue when using libpcap functions to process pcap files.
The error happens when I use pcap_next_ex() function to get packets from
saved pcap files one-by-one. The pcap_next_ex() terminates processing, and
returns an error saying, *"bogus savefile header"*.

Therefore I may want to know: how to skip the unrecognizable packets, and
let libpcap functions process the remaining valid packets? I really prefer
to use some *existing* modules/tools to do the job.
I tried "mergecap" and "editcap", and found they cannot skip
the unrecognizable packets. Are there some "improved mergecap/editcap" that can
do the job, and produce pcap files without any unrecognizable packet?

After I did some research online, I found the "unrecognizable packets" may
be generated by file transfers using HTTP/FTP in some text mode.
Please search "corrupt" on this webpage below.
http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
Therefore, I think the pcap-next-generation-dump-file can deal with this
issue.
But I tried "pcap-ng" in Wireshark, and got an assertion failure during
every capturing test, which shows that the "pcap-ng" related functions are
still unfinished...

Also, I read the source code of libpcap, and that error happens when the length of
the captured packet is considered too big.
In "/libpcap-1.1.1/sf-pcap.c"
In this function below:
    static int
    pcap_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
    {
        ... ...
        /* a record claiming more than 65535 captured bytes cannot be valid */
        if (hdr->caplen > 65535) {
            snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "bogus savefile header");
            return (-1);
        }
        ... ...
    }

Based on the pcap file format:
http://wiki.wireshark.org/Development/LibpcapFileFormat
I think it is possible to do a "magic number searching" when the if() above
is true. The bytes holding that "magic number" can be considered as the
beginning of next valid packet.
Notice that every valid packet has a timestamp in packet header.
    typedef struct pcaprec_hdr_s {
        guint32 ts_sec;   /* timestamp seconds */
        guint32 ts_usec;  /* timestamp microseconds */
        guint32 incl_len; /* number of octets of packet saved in file */
        guint32 orig_len; /* actual length of packet */
    } pcaprec_hdr_t;
If we know the range of the capturing time, we can use some bytes in
"pcaprec_hdr_s.ts_sec" as the "magic number".

Did anyone implement such an unrecognizable-packet-skipping function/module
before?
I really want to find some *existing* module or tools that can do the
skipping job.
I would appreciate it a lot if someone could help me with this.


Regards,
Deng
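A worked example of the timestamp-window resync the message proposes, added here as an illustration; it is not code from the original message, from libpcap or from Wireshark. It takes the pcaprec_hdr_s layout from the Wireshark wiki page linked above and the 65535 caplen limit from sf-pcap.c, assumes a little-endian savefile, and uses a constructed three-frame capture in which a text-mode transfer has rewritten one LF byte as CRLF (the function names, the capture bytes and the time window are all constructed for the example):

```python
"""Resync a damaged little-endian libpcap savefile by scanning for plausible record headers.

Added example, not code from the original message or from libpcap/Wireshark.
It uses the pcaprec_hdr_s layout from the Wireshark wiki and the 65535 caplen
limit that sf-pcap.c enforces; the sample capture bytes below are constructed.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4              # magic as stored by a little-endian writer
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, version_major, version_minor, thiszone, sigfigs, snaplen, network
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len  (pcaprec_hdr_s)
MAX_CAPLEN = 65535                      # above this sf-pcap.c reports "bogus savefile header"


def header_plausible(data, off, ts_min, ts_max, snaplen):
    """True if the 16 bytes at `off` could be a real record header for a capture
    taken in the window [ts_min, ts_max] (the "magic number" idea from the post)."""
    if off + REC_HDR.size > len(data):
        return False
    ts_sec, ts_usec, incl_len, orig_len = REC_HDR.unpack_from(data, off)
    return (ts_min <= ts_sec <= ts_max
            and ts_usec < 1_000_000
            and 0 < incl_len <= min(snaplen, MAX_CAPLEN)
            and incl_len <= orig_len
            and off + REC_HDR.size + incl_len <= len(data))


def recover_packets(data, ts_min, ts_max):
    """Walk the savefile like pcap_next_ex() would, but instead of giving up on a
    bogus header, slide forward one byte at a time until a plausible header appears.
    Returns (packets, skipped_bytes); packets is a list of (ts_sec, ts_usec, payload)."""
    magic, _major, _minor, _tz, _sigfigs, snaplen, _network = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian pcap savefile")
    packets, skipped, off = [], 0, GLOBAL_HDR.size
    while off + REC_HDR.size <= len(data):
        if not header_plausible(data, off, ts_min, ts_max, snaplen):
            start = off
            while off + REC_HDR.size <= len(data) and not header_plausible(data, off, ts_min, ts_max, snaplen):
                off += 1
            skipped += off - start
            if off + REC_HDR.size > len(data):
                break
        ts_sec, ts_usec, incl_len, _orig_len = REC_HDR.unpack_from(data, off)
        body = off + REC_HDR.size
        packets.append((ts_sec, ts_usec, data[body:body + incl_len]))
        off = body + incl_len
    skipped += len(data) - off          # trailing bytes too short to be a record
    return packets, skipped


def build_pcap(packets, snaplen=MAX_CAPLEN, network=1):
    """Serialise (ts_sec, ts_usec, payload) tuples as a little-endian pcap file (network=1: Ethernet)."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, network))
    for ts_sec, ts_usec, payload in packets:
        out += REC_HDR.pack(ts_sec, ts_usec, len(payload), len(payload)) + payload
    return bytes(out)


# Constructed sample: three frames captured around 19 Sep 2011 (ts_sec ~ 1316400000).
ETH = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
GOOD = [
    (1316400000, 1000, ETH + b"A" * 30),
    (1316400001, 2000, ETH + b"B" * 20 + b"\n" + b"C" * 9),   # contains the only LF byte in the file
    (1316400002, 3000, ETH + b"D" * 40),
]
CLEAN = build_pcap(GOOD)
# Simulate a text-mode transfer that rewrote the lone LF in frame 2 as CRLF: every
# record after it is now shifted by one byte, so the next header read is bogus.
DAMAGED = CLEAN.replace(b"\n", b"\r\n")
WINDOW = (1316300000, 1316500000)       # capture time range the operator knows

if __name__ == "__main__":
    pkts, skipped = recover_packets(DAMAGED, *WINDOW)
    print(f"recovered {len(pkts)} packets, skipped {skipped} byte(s)")
    with open("repaired.pcap", "wb") as f:
        f.write(build_pcap(pkts))
```

The record that was actually damaged (frame 2) is written out as libpcap would read it, with the inserted byte inside and its last byte missing; only the records after it are recovered by the resync. The time window is what keeps the scan from accepting random payload bytes as a header, so keep it as tight as the capture allows; for binary-heavy payloads a further check that the header following a candidate is also plausible cuts false positives further, and a big-endian file needs the ">" struct formats and magic instead.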
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe